Skip to content

Latest commit

 

History

History
151 lines (114 loc) · 11.8 KB

mitigations.md

File metadata and controls

151 lines (114 loc) · 11.8 KB

Mitigation Strategies Analysis for apache/zookeeper

Mitigation Strategy: Enforce Strong Authentication and Authorization (ACLs) within ZooKeeper

  • Description:

    1. Enable Authentication (zoo.cfg): Modify the zoo.cfg file on all ZooKeeper servers. Set authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider (or a similar provider like DigestAuthenticationProvider). If using Kerberos, configure Kerberos settings (realm, jaasLoginRenew, keytab files, etc.) directly within zoo.cfg and related JAAS configuration files. If using digest authentication, create users and passwords using the zkCli.sh tool (addauth digest user:password).
    2. Configure ACLs (zkCli.sh or API): For each znode (or a parent znode to apply recursively), use the zkCli.sh tool or the ZooKeeper API (e.g., setACL() method) to set ACLs. Specify the scheme (e.g., sasl for Kerberos, digest for username/password), the identifier (e.g., Kerberos principal, username), and the permissions (read, write, create, delete, admin – represented as cdrwa). Example (zkCli.sh): setAcl /myznode sasl:myuser:cdrwa,sasl:anotheruser:r. Example (Java API): zooKeeper.setACL("/myznode", acls, -1);
    3. Client Authentication (Connection String/API): Configure client applications to authenticate with ZooKeeper. This involves providing credentials (Kerberos ticket, username/password) in the client's connection string or through API calls (e.g., zooKeeper.addAuthInfo("digest", "user:password".getBytes());). The specific method depends on the client library.
    4. Regular ACL Review (zkCli.sh): Periodically (e.g., quarterly) review the ACLs on all znodes using the getAcl command in zkCli.sh to ensure they still adhere to the principle of least privilege. Example: getAcl /myznode.
    5. Dynamic ACLs (Custom AuthenticationProvider): If access patterns are dynamic, explore using dynamic ACLs. This involves implementing a custom org.apache.zookeeper.server.auth.AuthenticationProvider and configuring it in zoo.cfg. This provider will dynamically determine permissions based on runtime context.

  • Threats Mitigated:

    • Unauthorized Data Access: (Severity: Critical)
    • Unauthorized Configuration Modification: (Severity: Critical)
    • Unauthorized ZNode Creation/Deletion: (Severity: High)
    • Denial of Service (DoS) via Unauthorized Actions: (Severity: High)
    • Replay Attacks (with Kerberos): (Severity: High)

  • Impact:

    • Unauthorized Data Access: Risk reduced from Critical to Low.
    • Unauthorized Configuration Modification: Risk reduced from Critical to Low.
    • Unauthorized ZNode Creation/Deletion: Risk reduced from High to Low.
    • DoS via Unauthorized Actions: Risk reduced from High to Low.
    • Replay Attacks: Risk reduced from High to Low (with Kerberos).

  • Currently Implemented:

    • Authentication is enabled using Digest authentication in the dev environment (zoo.cfg).
    • Basic ACLs are set on a few key znodes in dev (using zkCli.sh).

  • Missing Implementation:

    • Kerberos authentication is not implemented (zoo.cfg and JAAS configuration).
    • Comprehensive ACLs are missing for many znodes (requires zkCli.sh or API calls for each znode).
    • Dynamic ACLs are not considered (requires custom AuthenticationProvider).
    • Regular ACL reviews are not formally scheduled (getAcl via zkCli.sh).

Mitigation Strategy: Secure Communication (TLS/SSL) Configuration in ZooKeeper

  • Description:

    1. Configure ZooKeeper Servers (zoo.cfg): In the zoo.cfg file on each server:
      • Set secureClientPort to a port for secure client connections (e.g., 2182).
      • Set ssl.keyStore.location to the path of the server's keystore file.
      • Set ssl.keyStore.password to the password for the keystore.
      • Set ssl.keyStore.type to keystore type (e.g., JKS).
      • Set ssl.trustStore.location to the path of the server's truststore file.
      • Set ssl.trustStore.password to the password for the truststore.
      • Set ssl.trustStore.type to truststore type (e.g., JKS).
      • Set ssl.clientAuth=need to require client authentication (or want for optional).
      • For server-to-server communication, configure similar settings under sslQuorum.* (e.g., sslQuorum.keyStore.location, sslQuorum.trustStore.location, etc.).
    2. Client Connection (Connection String/API): Configure client applications to connect to the secureClientPort and to use TLS/SSL. This involves providing the client's keystore and truststore (if client authentication is enabled) in the connection string or through API calls. The specific method depends on the client library. For example, in the Java API, you might use system properties like -Djavax.net.ssl.keyStore, -Djavax.net.ssl.trustStore, etc., or configure an SSLContext and pass it to the ZooKeeper constructor.

  • Threats Mitigated:

    • Man-in-the-Middle (MitM) Attacks: (Severity: Critical)
    • Eavesdropping: (Severity: Critical)
    • Data Tampering in Transit: (Severity: Critical)

  • Impact:

    • MitM Attacks: Risk reduced from Critical to Low.
    • Eavesdropping: Risk reduced from Critical to Low.
    • Data Tampering in Transit: Risk reduced from Critical to Low.

  • Currently Implemented:

    • TLS/SSL is enabled for client-server communication in the dev environment (zoo.cfg settings for secureClientPort, keystore, and truststore).

  • Missing Implementation:

    • TLS/SSL is not enabled for server-to-server communication (sslQuorum.* settings in zoo.cfg).
    • TLS/SSL is not consistently enforced; unencrypted connections are still possible (requires ensuring all clients use secureClientPort).

Mitigation Strategy: Limit ZNode Data Size (Server-Side)

  • Description:

    1. Configure jute.maxbuffer (zoo.cfg): In the zoo.cfg file on all ZooKeeper servers, set the jute.maxbuffer property to a reasonable value (in bytes) to limit the maximum size of data that can be stored in a single znode. For example, jute.maxbuffer=4194304 sets the limit to 4MB. This is a global setting for the entire ZooKeeper ensemble.

  • Threats Mitigated:

    • Denial of Service (DoS) via Large ZNodes: (Severity: Medium)

  • Impact:

    • DoS via Large ZNodes: Risk reduced from Medium to Low.

  • Currently Implemented:

    • jute.maxbuffer is set to a default value in zoo.cfg.

  • Missing Implementation:

    • The default jute.maxbuffer value may be too high; it should be reviewed and potentially lowered based on application requirements.

Mitigation Strategy: Restrict Access to Four Letter Words

  • Description:

    1. Identify Sensitive Commands: Understand which Four Letter Words (FLWs) expose sensitive information or could be misused. dump, conf, and srvr are examples that might need restriction.
    2. Use ACLs (zkCli.sh or API): Use ZooKeeper's ACL mechanism to restrict access to the /zookeeper/config znode (and potentially other relevant znodes). By default, this znode is world-readable. Change the ACL to allow only authorized users or roles to read it. Example (zkCli.sh): setAcl /zookeeper/config sasl:zookeeper-admin:cdrwa,world:anyone:. This restricts access to the zookeeper-admin user.
    3. Consider readonlymode.enabled (zoo.cfg): If you want to completely disable write operations via FLWs, you can set readonlymode.enabled=true in zoo.cfg. This prevents commands like conf from modifying the configuration. However, this is a global setting and affects all clients.

  • Threats Mitigated:

    • Unauthorized Configuration Disclosure: (Severity: Medium) - Prevents unauthorized users from viewing sensitive configuration details.
    • Unauthorized Configuration Modification (with readonlymode.enabled): (Severity: High) - Prevents unauthorized modification of the configuration via FLWs.

  • Impact:

    • Unauthorized Configuration Disclosure: Risk reduced from Medium to Low.
    • Unauthorized Configuration Modification: Risk reduced from High to Low (with readonlymode.enabled).

  • Currently Implemented:

    • None.

  • Missing Implementation:

    • ACLs are not set on /zookeeper/config (requires setAcl via zkCli.sh or API).
    • readonlymode.enabled is not set (requires modification of zoo.cfg).

Mitigation Strategy: Connection Limits (Server-Side)

  • Description:

    1. Configure maxClientCnxns (zoo.cfg): In the zoo.cfg file on all ZooKeeper servers, set the maxClientCnxns property to a reasonable value to limit the maximum number of concurrent connections from a single IP address. For example, maxClientCnxns=60. This is a per-IP limit.

  • Threats Mitigated:

    • Connection Exhaustion (DoS): (Severity: High)

  • Impact:

    • Connection Exhaustion: Risk reduced from High to Medium.

  • Currently Implemented:

    • maxClientCnxns is set to a default value in zoo.cfg.

  • Missing Implementation:

    • The default maxClientCnxns value may not be appropriate; it should be reviewed and potentially adjusted based on the expected number of clients and the capacity of the servers.

Mitigation Strategy: Configuration Hardening (zoo.cfg)

  • Description:

    1. Disable Unnecessary Features (zoo.cfg): Review the zoo.cfg file and disable any ZooKeeper features that are not required. For example, if you are not using dynamic reconfiguration, ensure it's disabled (check for related settings). If you are not using snapshots, you might adjust snapshot-related settings.
    2. Review Timeouts (zoo.cfg): Set appropriate values for timeouts:
      • tickTime: The basic time unit in milliseconds.
      • initLimit: The time (in ticks) allowed for followers to connect and sync with the leader.
      • syncLimit: The time (in ticks) allowed for followers to sync with the leader.
    3. Avoid Default Ports (zoo.cfg): Change the default ZooKeeper ports (2181, 2888, 3888) to non-standard values using clientPort and the server.X settings.
    4. Configure Logging (zoo.cfg and log4j.properties): Set appropriate log levels (logLevel in zoo.cfg and in log4j.properties), configure log rotation, and ensure logs are written to a secure location.

  • Threats Mitigated:

    • Exploitation of Unnecessary Features: (Severity: Medium)
    • Misconfiguration Vulnerabilities: (Severity: High)

  • Impact:

    • Exploitation of Unnecessary Features: Risk reduced from Medium to Low.
    • Misconfiguration Vulnerabilities: Risk reduced from High to Medium.

  • Currently Implemented:

    • Basic logging is configured.

  • Missing Implementation:

    • A comprehensive review of zoo.cfg for unnecessary features and hardening opportunities has not been performed.
    • Default ports are still used (clientPort and server.X settings).
    • Timeout values (tickTime, initLimit, syncLimit) may not be optimally configured.
    • Log rotation and secure log storage are not fully addressed.